This was the original strategy that was used; however it was initially abandoned because getting successful compilation in a workspace that already declares a lot of Go dependencies is non-trivial.
This will represent a breaking WORKSPACE change, as the Go toolchain is currently optional and this will make it a mandatory dependency.
In addition, importing Gazelle will be necessary to achieve this change, which will make Gazelle available to the github.com/bazelbuild/bazel-gazelle/rule package available for use within //tools/grype_updater.
The benefit of building from source is that we then "automatically" support any platform for which a Go toolchain is available. The current form supports a variety of platforms via select statements, however many of those configurations are completely untested as the primary author's development workstation and the CI build server are both linux-amd64 targets. It also greatly increases "toil" of updates as the binary for each supported platform must be updated manually with each new upstream release in order to stay up-to-date.
This was the original strategy that was used; however it was initially abandoned because getting successful compilation in a workspace that already declares a lot of Go dependencies is non-trivial.
This will represent a breaking
WORKSPACEchange, as the Go toolchain is currently optional and this will make it a mandatory dependency.In addition, importing Gazelle will be necessary to achieve this change, which will make Gazelle available to the github.com/bazelbuild/bazel-gazelle/rule package available for use within
//tools/grype_updater.The benefit of building from source is that we then "automatically" support any platform for which a Go toolchain is available. The current form supports a variety of platforms via
selectstatements, however many of those configurations are completely untested as the primary author's development workstation and the CI build server are both linux-amd64 targets. It also greatly increases "toil" of updates as the binary for each supported platform must be updated manually with each new upstream release in order to stay up-to-date.